FS#25713 - [php] php 5.3.7 has an extremely critical vulnerability, downgrade suggested

Attached to Project: Arch Linux
Opened by Massimiliano Torromeo (mtorromeo) - Monday, 22 August 2011, 13:04 GMT
Last edited by Dave Reisner (falconindy) - Monday, 22 August 2011, 15:35 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To No-one
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

The latest "stable" release of PHP (5.3.7) has a critical vulnerability in the crypt() function that may allow unauthorized access to websites that use that function for password verification and other similar situations.

See bug https://bugs.php.net/bug.php?id=55439

The PHP developers suggest on the frontpage (http://php.net/) to wait to upgrade until 5.3.8 is released (hopefully soon).

Closed by  Dave Reisner (falconindy)
Monday, 22 August 2011, 15:35 GMT
Reason for closing:  Fixed
Additional comments about closing:  php-5.3.7-3
Comment by Pierre Schmitz (Pierre) - Monday, 22 August 2011, 13:42 GMT
PHP 5.3.6 has known security issues; downgrading to that version would not be sane imho. I would recommend updating to 5.3.7-3, in which the mentioned issue has been fixed. You can check this yourself by running the test case shown on the PHP bug report you have linked to.
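The following is an added self-check script, not the test case from the PHP bug report and not part of the Arch package; it is included here so the 5.3.7 crypt() regression (PHP bug #55439, crypt() returning only the salt for MD5 hashes) can be verified on an installed php binary. The salt string and the passwords are constructed for the example; the expected 34-character length is simply the MD5-crypt format ("$1$", an 8-character salt, "$", 22 hash characters). It also shows why the bug matters for sites that store hashes produced by the broken build: with a stored value of just the salt, crypt() returns the same string for every input, so any password verifies.

```php
<?php
// Added example (not from bug #55439 or the Arch package): check whether this
// php binary's crypt() is affected by the PHP 5.3.7 MD5-crypt regression.

// Constructed 8-character MD5-crypt salt for the check.
const CHECK_SALT = '$1$U7AjYB.O$';

// A correct MD5-crypt result is "$1$" + 8 salt chars + "$" + 22 hash chars.
const MD5CRYPT_LEN = 34;

// Returns true when crypt() produces a full MD5-crypt hash for the salt,
// false when it hands the bare salt back (the 5.3.7 behaviour).
function md5crypt_is_sane()
{
    $hash = crypt('password', CHECK_SALT);
    return strlen($hash) === MD5CRYPT_LEN
        && strncmp($hash, CHECK_SALT, strlen(CHECK_SALT)) === 0;
}

// The usual verification idiom: re-hash the candidate with the stored hash
// as the salt and compare the two strings.
function verify_password($candidate, $stored)
{
    return crypt($candidate, $stored) === $stored;
}

printf("PHP %s: crypt() MD5 self-check %s\n",
    PHP_VERSION, md5crypt_is_sane() ? 'passed' : 'FAILED (bug #55439)');

// Simulate a password hash stored by whatever build is running this script.
// On a sane build $stored is a full hash and only the right password verifies.
// On the broken build $stored is just CHECK_SALT, and because crypt() then
// returns the salt for every input, the wrong password verifies as well.
$stored = crypt('correct horse', CHECK_SALT);
printf("stored value: %s\n", $stored);
printf("right password verifies: %s\n",
    verify_password('correct horse', $stored) ? 'yes' : 'no');
printf("wrong password verifies:  %s\n",
    verify_password('wrong', $stored) ? 'yes' : 'no');

exit(md5crypt_is_sane() ? 0 : 1);
```

Run it as a plain CLI script (php check.php); a non-zero exit status means the installed crypt() still exhibits the bug, and the two "verifies" lines make the practical impact visible.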
Comment by Massimiliano Torromeo (mtorromeo) - Monday, 22 August 2011, 13:52 GMT
Of course, fixing just the bug itself is even better than a downgrade.
I still see 5.3.7-2 as the last published package (verified to be vulnerable). I'll wait for 5.3.7-3.

Thanks!
Comment by Massimiliano Torromeo (mtorromeo) - Monday, 22 August 2011, 15:27 GMT
Just tested php-5.3.7-3 and it is indeed free of this bug. Thanks!
